Post: naehrwert discovers a 'Hidden Virtual Machine' inside True Blue
06-03-2012, 12:58 AM #1
FireWire
I'm done here.
Today, 'scene' developer naehrwert tweeted that he discovered a 'Hidden Virtual Machine' inside the True Blue dongle by looking through a decrypted dump of the 'payload' supplied to him by oct0xor.

Now 'naehrwert' has already produced some previous neat tools like 'SCETool v2.7' and the 'COSTool', so he just might be onto something on figuring how TB really does function.


He has been blogging his progress so far, and released the following PART 1 that is very 'techie' in its details on this hidden VM:

Originally posted by another user
Thanks to oct0xor we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:
Code:
1337C0DE00000000 _start:
1337C0DE00000000
1337C0DE00000000 .set var_58, -0x58
1337C0DE00000000 .set arg_10, 0x10
1337C0DE00000000
1337C0DE00000000 mflr r0
1337C0DE00000004 bl loc_1337C0DE00000008
1337C0DE00000008 loc_1337C0DE00000008:
1337C0DE00000008 mflr r3
1337C0DE0000000C lis r4, 0 # 8
1337C0DE00000010 addi r4, r4, 8 # 8
1337C0DE00000014 subf. r3, r4, r3
1337C0DE00000018 beq skip_reloc
1337C0DE0000001C li r6, 0
1337C0DE00000020 oris r6, r6, 0x1337
1337C0DE00000024 ori r6, r6, 0xC0DE
1337C0DE00000028 lis r4, 1 # 0xA848
1337C0DE0000002C addi r4, r4, -0x57B8 # 0xA848
1337C0DE00000030 lis r5, 1 # 0x10D18
1337C0DE00000034 addi r5, r5, 0xD18 # 0x10D18
1337C0DE00000038 subf. r5, r4, r5
1337C0DE0000003C beq skip_reloc
1337C0DE00000040 srdi. r5, r5, 3
1337C0DE00000044 mtctr r5
1337C0DE00000048 add r4, r4, r3
1337C0DE0000004C
1337C0DE0000004C reloc_loop:
1337C0DE0000004C ld r5, 0(r4)
1337C0DE00000050 srdi r7, r5, 32
1337C0DE00000054 cmpw r7, r6
1337C0DE00000058 bne skip_rewrite
1337C0DE0000005C clrldi r5, r5, 32
1337C0DE00000060 add r5, r5, r3
1337C0DE00000064 std r5, 0(r4)
1337C0DE00000068
1337C0DE00000068 skip_rewrite:
1337C0DE00000068 addi r4, r4, 8
1337C0DE0000006C bdnz reloc_loop
1337C0DE00000070
1337C0DE00000070 skip_reloc:
1337C0DE00000070 std r0, arg_10(r1)
1337C0DE00000074 stdu r1, -0x80(r1)
1337C0DE00000078 std r2, 0x80+var_58(r1)
1337C0DE0000007C lis r4, 1 # 0x17E40
1337C0DE00000080 addi r4, r4, 0x7E40 # 0x17E40
1337C0DE00000084 add r2, r4, r3
1337C0DE00000088 bl payload_main


In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.
Code:
1337C0DE00002578 vm_push_word_0:
1337C0DE00002578 ld r11, off_1337C0DE00010128 # stack_ptr
1337C0DE0000257C ld r9, 0(r11)
1337C0DE00002580 addi r0, r9, 4
1337C0DE00002584 std r0, 0(r11)
1337C0DE00002588 stw r3, 4(r9)
1337C0DE0000258C blr


Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here is some code to unscramble the embedded vm binary for further investigation. I’m going to write more about this topic in the future.



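To make the relocation scheme in the listing concrete, here is an added Python re-implementation of reloc_loop (example code written for this thread, not naehrwert's tool). It runs over a small constructed image rather than a real TB dump, and the load address 0x800000000000 is a hypothetical value.

```python
import struct

MARKER = 0x1337C0DE   # upper 32 bits that tag a pointer needing relocation
RELOC_START = 0xA848  # r4 in the listing: first tagged word, offset from base
RELOC_END = 0x10D18   # r5 in the listing: end of the relocation range

def read_word(image, off):
    """Read one big-endian 64-bit word (the payload is PowerPC, big-endian)."""
    return struct.unpack_from(">Q", image, off)[0]

def relocate(image, base, start=RELOC_START, end=RELOC_END):
    """Re-implements reloc_loop over a payload image loaded at `base`.

    Every 8-byte word in image[start:end] whose upper 32 bits equal
    MARKER is replaced by (lower 32 bits) + base: the tagged value is an
    offset from the payload start, not a delta to adjust.
    Returns the number of words rewritten."""
    if base == 0:                       # subf. r3, r4, r3 / beq skip_reloc
        return 0
    count = (end - start) >> 3          # srdi. r5, r5, 3 / mtctr r5
    if count == 0:                      # subf. r5, r4, r5 / beq skip_reloc
        return 0
    rewritten = 0
    for i in range(count):              # bdnz reloc_loop runs `count` times
        off = start + 8 * i
        word = read_word(image, off)
        if (word >> 32) != MARKER:      # cmpw r7, r6 / bne skip_rewrite
            continue
        fixed = ((word & 0xFFFFFFFF) + base) & 0xFFFFFFFFFFFFFFFF
        struct.pack_into(">Q", image, off, fixed)   # std r5, 0(r4)
        rewritten += 1
    return rewritten

def build_sample_image():
    """Constructed 64-byte image (not a real TB dump): two tagged
    pointers around one untagged word, placed at offsets 0x10..0x28."""
    image = bytearray(64)
    struct.pack_into(">Q", image, 0x10, 0x1337C0DE00002578)  # vm_push_word_0
    struct.pack_into(">Q", image, 0x18, 0x00000000DEADBEEF)  # plain data, untouched
    struct.pack_into(">Q", image, 0x20, 0x1337C0DE00017E40)  # the RTOC value
    return image

if __name__ == "__main__":
    img = build_sample_image()
    base = 0x0000800000000000           # hypothetical actual load address
    print(relocate(img, base, start=0x10, end=0x28), "words rewritten")
    for off in (0x10, 0x18, 0x20):
        print(f"{off:#06x}: {read_word(img, off):#018x}")
```

Loading the dump in IDA with base 0x1337C0DE00000000, as the post does, is the same trick in reverse: every tagged word then resolves as a valid address without running the loop.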
06-03-2012, 03:49 AM #2
partypoker15
Wayyyyy above my intelligence level.

06-03-2012, 08:18 AM #3
xSOADx
Banana Joe
Nice, but naehrwert? That's the most stupid nickname I've ever heard, it means Nutrient Content/value...

06-03-2012, 11:13 AM #4
MCPADDINGTON
Originally posted by soad08 View Post
Nice, but naehrwert? That's the most stupid nickname I've ever heard, it means Nutrient Content/value...


Yea because soad08 is such an amazing name. Drack

06-03-2012, 01:12 PM #5
xSOADx
Banana Joe
Originally posted by MCPADDINGTON View Post
Yea because soad08 is such an amazing name. Drack


better than naehrwert, and do u even know what soad means? if not stfu

06-03-2012, 01:30 PM #6
Ameht!
Dark Knight
Originally posted by soad08 View Post
better than naehrwert, and do u even know what soad means? if not stfu

Sounds like another stupid handle imo, arguing about handles is childish just like people buying "OG" handles... /facepalm
06-03-2012, 06:50 PM #7
slim355
You talkin to me?
Would I be a million miles off if I said True Blue is emulating PS3 firmware?
Meaning it is possible to emulate 3.55+ firmware on 3.55,
meaning we could play 4.11 games on 3.55 for free if we can find out how this emulation is working.
(obviously this is not in true blue's interest, $$$$)
06-03-2012, 09:37 PM #8
MCPADDINGTON
Originally posted by soad08 View Post
do u even know what soad means?


Dude it's a name, calm down. Hey look, you got mine. So soad means.........?
06-03-2012, 09:51 PM #9
ichris26
The Muff Muncher
Originally posted by MCPADDINGTON View Post
Dude it's a name, calm down. Hey look, you got mine. So soad means.........?


"System Of A Down"
06-03-2012, 10:02 PM #10
Originally posted by ichris26 View Post
"System Of A Down"


So a rock band then.

Copyright © 2026, NextGenUpdate.
All Rights Reserved.